This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Sense: Password Strength Lies in its Universality

I got another one of those emails the other day. You know, the ones that point to all the problems in the industry whilst espousing the virtues of the company’s security things and offering to set up a conversation with the CEO or send a free version of the aforementioned thing. This one spoke about all the problems we have with password strength (no arguments there) and went on to explain how their new proprietary system is going to kill passwords for good. Not. Gonna. Happen.

That position in particular – the one that states passwords are going to die in favor of an alternate authentication mechanism – is fundamentally flawed in a way that proponents of these schemes just can’t seem to fathom; humans don’t like them. Time and time again, I’m pointed to solutions which use soft tokens, QR codes or even physical devices where people are convinced they’re going to change the face of authentication forever. But they’re not, and here’s why:

Passwords, for all their flaws, are universally understood. Everyone knows how to create an account online, fill in some basic details and choose a password. Yes, they will almost certainly select one with low password strength and it will be one they’ve used before (and possibly already had leaked in a data breach), but they’ve just created an account. This is the real key here because this is usually the objective of the website’s being in the first place – to get subscribers.

Imagine an alternate reality, one where a technically superior authentication mechanism was used per the earlier spam message I received: someone goes to sign up on the service, they enter the usual personal info and then get down to this entirely new thing they’ve never seen before. They’re asked to download an app or scan a QR code or do something else contrary to their usual signup experience and inevitably, a bunch of them turn away because this is friction. Try selling that to the marketing manager. No matter how effective they are, security controls that introduce friction will be rejected by humans in huge numbers, this is precisely why less than one percent of Dropbox accounts have 2FA enabled.

So, we’re not going to get rid of passwords in the foreseeable future, but we are changing the way they’re used to bolster password strength. Consider the present situation with biometrics: Apple has done a great job with TouchID (less so with FaceID IMHO) and unlocking your phone with your finger is a beautiful user experience. But that doesn’t mean passwords go away, far from it. The first thing you do after taking a shiny new biometric-enabled iPhone out of the box is join it to the WiFi so there’s your first password. Next, you’ll probably restore an existing device from iCloud so there’s your second password. Finally, you’ll be able to set up biometrics but only after setting a PIN on the device for fallback purposes so now you’re up to three passwords already and you haven’t even been able to use the phone yet. The good news is that you’ll need each of those passwords much less frequently than what you did in previous times, but make no mistake, you’ll still have them and you’ll have them in greater numbers than ever before.

Passwords will survive not because they’re the right thing, but because they’re the easy thing.